Transcription

Slide 2: Organizations continued to battle challenges to achieving cybersecurity risk management
The U.S. Executive Order (EO) initiated a dialogue to identify challenges and determine effective responses. Industry responded to a NIST Request for Information (RFI):
- Trying to prioritize security activities without context seems like Whack-a-Mole
- The IT security budget is a zero-sum game; every dollar spent on compliance is a dollar not spent on risk management
- Application of security controls needs to be scalable
- Challenge of balancing performance and conformance
- Need for a better risk dialogue with executive management

Slide 3: What is CForum?
In the next few slides, we'll provide some details about CForum. CForum continues the conversation started during the Cybersecurity Framework workshops as:
- a place to collaborate about measuring and improving cybersecurity
- an environment for discussing emerging cybersecurity threats to information and operational technology
- a forum for thought leaders to share information
Cyber.SecurityFramework.org

Slide 5: We also need a common language to help normalize and optimize activities
Goal: comply once, use many.
- NIST identified more than 450 commonly used standards and practices
- Many of these share categories and families of controls in common
- Keeping up with multiple compliance frameworks is resource intensive and costly
- Need to express requirements and status to supply chain partners
For example: NIST SP 800-53 control AC-3, ISO/IEC 27002:2013 A.9.4.1, and ISO/IEC 15408 (Common Criteria) FDP_ACC.2 all point to access control processes. A crosswalk like this shows overlap, not equivalence: AC-3 (Access Enforcement), A.9.4.1 (Information access restriction) and FDP_ACC.2 (Complete access control) differ in scope, so the mapping tells you where evidence can be reused, not that one assessment satisfies all three.

Slide 9: CForum can help identify other examples of use that can save your organization time
- Apply the Framework's flexibility to achieve organizational cybersecurity goals
- Learn how different organizations use it in different ways, with different tools, to achieve Framework outcomes

Slide 10: The Cybersecurity Framework in Action: An Intel Use Case
Intel Corporation described how it used the Framework model to create a heat map for communicating and prioritizing cybersecurity activity among internal functional areas.

Slide 11: AWWA Guidance and Cybersecurity Tool
The American Water Works Association (AWWA) has developed Process Control System Security Guidance for the Water Sector and a supporting Cybersecurity Use-Case Tool. The AWWA's cybersecurity resources are designed to provide actionable information for utility owners and operators based on their use of process control systems.

Slide 13: CForum provides a venue for sharing risk information with other organizations
- ISACs and Sector Coordinating organizations use CForum to share information about emerging threats and successful incident response methods
- Organizations can compare notes about how to characterize risks and threats
- Users should not share corporate or sensitive data, but sharing general information can protect the community

Slide 14: Why re-invent the wheel? Leverage shared templates to accelerate improvement
- Take advantage of lessons learned by others
- Jump-start use of cybersecurity resources by using shared templates
- Identify opportunities for consistency within and across critical infrastructure sectors

Slide 15: Continue the conversation!
- Federal agencies are jump-starting the effort but aren't the long-term solution; management will eventually transfer to industry
- Industry needs to own and lead cybersecurity management practices
- Businesses bring real-world understanding of the challenges and solutions
- Take advantage of the examples and lessons learned
- Help provide topics that speak the language of business
Cyber.SecurityFramework.org
